In this post we will give a brief overview of the upgrade path from CCIE Security v2.0 blueprint to v3.0. First off all, let’s start with the good news to everyone who was preparing using the old blueprint: most of things you have learned are incorporated smoothly in the new blueprint. Basically, the only thing to forget is your VPN3k configuration skills :) Everything else either remains the same or experiences an “incremental update”, like LAN-to-LAN VPNs with IPsec VTI interfaces. Let’s quickly review the changes made to the hardware and how they could potentially affect you.

  • Removal of the PIX and VPN3k devices, which is natural as both are EOL and EOS. Therefore, forget all about VPN3k menu system and enjoy the simpler topology without the PIX ;) However, to some people, getting a PIX is more affordable than getting an ASA. In this case, remember that the latest software release supported by the PIX is 8.0(4) (not the 8.1) and you cannot configure SSL VPN on PIX. Still, you can practice almost 90% of all the firewall features using the PIX.
  • Change from the Catalyst 3550 to 3560 models. From the security features standpoint, nothing has seriously changed. You can even continue using the older 3550 model, as they are probably cheaper to get nowadays.
  • The so much awaited upgrade from IOS 12.2T to IOS 12.4T. First of all, this might require a change in the hardware platforms you are using. If you were using non-ISR or non-2600XM routers, you will need to change the hardware platform to at least 2600XM with full flash/RAM memory (to run the Advanced Security feat. set) or the 1841 ISRs. Note that using Dynamips you can play with all 12.4T features without getting your hands around any real gear. Secondly, 12.4T introduces a ton of new features, as compared to the dusty 12.2T. However, it’s not that scary as it might look like. Most of the new security features relate to IOS PKI, some AAA enhancements, bunch of advanced VPN topics and infrastructure security. Probably, all the most notable features are VPN/Firewall related: IPsec VTI, WebVPN/SSL VPN support in IOS, DMVPN Phase3, GET VPN; Zone-Based and Transparent firewall, CBAC enhancements. Later in this document we will see those features detailed as the upgrade list of the new SC VOL1 labs.
  • ASA software upgrade from 7.x to 8.x. While is a major version jump, it does not imply the huger change in the CLI as it was with the upgrade from 6.x to 7.x. There is quite a bunch of new features in 8.x code (you will see the list later) but most of them are minor ones. Most likely you will enjoy things like Dynamic Access Policies, LDAP Authentication and Authorization, Secure Desktop Enhancements, EIGRP Support (who needs that?:), Transparent Firewall NAT and Traffic Shaping. However, if you are solid with the code version 7.x you wont face big problems mastering the new topics.
  • IPS software upgrade from 5.1 to 6.1 and the platform change to 4240. The catch here is that IPS v6.1 does not support many older IDS/IPS appliances, such as 4215 or 4235 and getting a 4240 might be expensive. However, there is some good news still. The CLI has not changed as much as it did with the 4.x to 5.1 upgrade, and all your 5.1 knowledge remains valid and up to date. The most notable new features are Virtual Sensors, Anomaly Detection, Threat Rating and the new IPS Manager Express. If you are OK with doing all your configurations via CLI, you can stick with IPS v6.0 which you could run on the older platforms (4215, 4235) as there are just minor differences between 6.0 and 6.1 (mostly related to IPS Manager Express). Probably the best news is that the old 4215 platform could be successfully emulated in VMware.

Now, let’s look at the v2.0 to v3.0 upgrade path that you can take with out products. Below is the list of the VOL1 technology labs. You can see the outdated topics being deleted and the new topics (which are being developed) highlighted. Naturally, many older labs remain perfectly valid for the new track, and you can continue practicing them while waiting for the upgrade being released. We also decided to keep the NAC labs, even though NAC is not on the current blueprint, mostly because it gives you a perfect scenario for advanced ACS configuration. Of course, if you own our current v2.0 products, you will receive the v3.0 updates free of charge.



VLANs and IP Addressing
Configuring and Authenticating RIP
Configuring and Authenticating OSPF
Configuring EIGRP Support
Redistribution, Summarization and Route Filtering


Common Configuration
Filtering with IP Access Lists
Using Object Groups
Administrative Access Management
ICMP Traffic Management
Configuring Filtering Services


Dynamic NAT and PAT
Static NAT and PAT
Dynamic Policy NAT
Static Policy NAT and PAT
Identity NAT and NAT Exemption
Outside Dynamic NAT
DNS Doctoring with Alias
DNS Doctoring with Static
Same Security Traffic and NAT
Transparent Firewall NAT


Firewall Contexts Configuration
Administrative Context and Resource Management
Active/Standby Stateful Failover with Failover Interface
Active Stateful Failover with Failover Interface
Monitoring Interfaces with Active/Active Failover
Filtering with L2 Transparent Firewall
ARP Inspection with Transparent Firewall
Filtering Non-IP Traffic with L2 Transparent FW
Handling Fragmented Traffic
Handling Some Application Issues
BGP Through the PIX/ASA Firewall
Multicast Routing across the PIX/ASA
System Monitoring
DHCP Server
Standby Interfaces
ASA Local CA
Cisco Secure Desktop
VLAN Support for RA VPN
Inspection for Web/SSL VPN Traffic
Enhanced Service Object Groups
Enhanced ASA protection (Threat Detection)
Persistent IPsec Tunneled Flows


HTTP Inspection with MPF
Advanced FTP Inspection
Advanced ESMTP Inspection
Authenticating BGP Session Through the Firewall
Implementing Traffic Policing
Implementing Traffic Shaping
Implementing Low Latency Queueing
TCP Normalization
Enhanced TCP Normalization
Management Traffic and MPF
ICMP Inspection Engine



IOS Router and the PIX/ASA
IOS Router and VPN3k


IOS and the PIX/ASA with PSK
IOS and the PIX/ASA with PSK and NAT on the Firewall
IOS and the PIX/ASA with Digital Certificates
IOS and the PIX/ASA: Matching Name in Certificate
IOS and IOS with PSK Across the PIX/ASA
IOS and IOS with PSK Across the PIX/ASA and NAT
IOS and IOS with PSK Across the PIX/ASA with Overlapping Subnets
IOS and IOS with PSK Across the PIX/ASA and NAT with IKE AM
IOS and IOS with Digital Certificates Across the PIX/ASA
IOS and VPN3k with PSK
IOS and VPN3k with PSK using CLI only
IOS and VPN3k with Digital Certificates
IOS and VPN3k with PSK: Tuning IPsec Parameters
IOS and VPN3k: Filtering Tunneled Traffic


GRE Tunnels over IPsec with Static Crypto Maps
GRE Tunnels over IPsec with Crypto Profiles
IPsec VPN Enhancements: VTI Support
IPsec VPN Enhancements: Encrypted PSK
IOS CA: Subordinate/RA Mode IOS Certificate Server (CS) Rollover
IOS CA: Key Rollover for Cerificate Renewal
Certificate ACLs
Dynamic Access Policies


VPN3k and Cisco VPN Client
VPN3k and Cisco VPN Client with Split-Tunneling
VPN3k and Cisco VPN Client with HoId-Down Route
VPN3k and Cisco VPN Client with RRI
VPN3k and Cisco VPN Client with DHCP Server
VPN3k and Cisco VPN Client with RADIUS Authentication
VPN3k and Cisco VPN Client with External Group
VPN3k and Cisco VPN Client with Digital Certificates
VPN3k and IOS ezVPN Remote Client Mode with Split-Tunneling
VPN3k and IOS ezVPN Remote NW Extension Mode with RRI
IOS and IOS ezVPN Remote Client Mode with Xauth/RRI
IOS and IOS ezVPN Remote NW Extension Mode with Xuath/RRI
PIX/ASA and Cisco VPN Client with Split-Tunneling/Xauth/RRI
PIX/ASA and Cisco VPN Client with External Policy
PIX/ASA and Cisco VPN Client with RADIUS
PIX/ASA and Cisco VPN Client with Digital Certificates
The PIX/ASA and IOS ezVPN Remote NW Extension Mode
ezVPN Ehancements: Multiple Inside/Outside Interfaces
ezVPN Ehancements: Proxy DNS
ezVPN Ehancements: Peer Hostname
ezVPN Ehancements: VTI Support
ezVPN Ehancements: DPD Enhancements


ASA and WebVPN Client
ASA and WebVPN Port Forwarding
ASA and SSL VPN Client
AnyConnect VPN in IOS
AnyConnect VPN in ASA
WebVPN Configuration in IOS
VPN3k and WebVPN Client
VPN3k and WebVPN Port Forwarding


IOS and the PIX/ASA: Policing the L2L IPsec tunnel
IOS and VPN3k: QoS for L2L Tunnel
PIX/ASA and Cisco VPN Client: Per-Flow Policing
QoS Pre-Classify for IPsec Tunnel


Decoding IPsec Debugging Output on VPN3k
IPsec and Fragmentation Issues
ISAKMP Pre-Shared Keys via AAA
IPsec NAT-T: L2L Tunnel with VPN3k and IOS Box
IKE Tunnel Endpoint Discovery (TED)
IPsec VPN High-Availability with HSRP
IPsec High Availability with NAT and HSRP
IPsec Pass-Through Inspection on the PIX/ASA
L2TP over IPsec between the ASA and Windows 2000 PC
VPN3k and PPTP Client
Using ISAKMP Profiles
Group Encrypted Transport (GET) VPN
Advanced DMVPN
DMVPN Phase 3
ASA Persistent IPsec Tunneled Flows


Common Configuration
Basic Access-Lists
Reflexive Access-Lists
Dynamic Access-Lists
Stateful Inspection with CBAC
CBAC Port-to-Application Mapping
Preventing DoS Attacks with CBAC
CBAC Performance Tuning
Authentication Proxy with RADIUS
Content Filtering with IOS Firewall
IOS Zone-Based Firewalls
ACL IP Option Selective Drop
IOS L2 Transparent Firewall
CBAC Enhancements (e.g. Self-traffic inspection)
Application Firewall (HTTP Inspection, HTTP Applications, Instant Messaging)
Flexible Packet Matching


Using RADIUS/TACACS+ for telnet Authentication
Using RADIUS/TACACS+ for Exec Authorization
TACACS+ for Command Authorization
TACACS+ Command Accounting
Service Authorization with TACACS+
Using LDAP for Authentication and Authorization
VPN AAA Authentication and Authorization
Using IOS Local AAA
Switchport Authorization with 802.1x
Using ACS RADIUS Profiles
Certificate-Based Authentication


ACS Setup for NAC
NAC L3 IP With the ASA and Cisco VPN Client
NAC L3 IP with VPN3k and Cisco VPN Client



IPS Initial Setup
Configuring Inline VLAN Pair
Promiscuous Mode Monitoring with RSPAN
Monitoring IPS with IPS Event Viewer


Configuring Event Summarization
Creating Custom Signature
Event Counting
Inline Blocking
Event Action Override
Event Action Filtering
IPS Network Access Control (Shunning)
Rate Limiting with IPS


Virtual Sensors
Sensor Password Recovery
Anomaly Detection
TCP Session Tracking Modes
Threat Rating
Sensor Configuration via IME



Mitigating ARP Spoofing Attack with PIX/ASA
Mitigating DHCP Attacks with DHCP Snooping
Mitigating ARP Attacks in DHCP Environment
Mitigating MAC/IP Spoofing in DHCP Environment
Protecting Spanning-Tree Protocol
Protecting Against Broadcast Storms
Mitigating VLAN Hopping Attacks
Protecting Against Network Mapping
Blackhole Routing using PBR
Intrusion Prevention with PIX/ASA
Mitigating Malicious IP Options Attack
Protecting Against MitM attacks

The VOL2 upgrade will be taking place in parallel with VOL1 updates. What you should expect is removal of the VPN3k and (probably) PIX and the changes to the approximately 30% of the material. Many of the existing v2.0 tasks will remain the same, so you can practice the existing material, ignoring anything related to VPN3k (but not the PIX, as many of the PIX features remain unmodified in the new blueprint).

Good luck with your studies!

Further Reading:
CCIE Security Lab Expanded Blueprint

About Petr Lapukhov, 4xCCIE/CCDE:

Petr Lapukhov's career in IT begain in 1988 with a focus on computer programming, and progressed into networking with his first exposure to Novell NetWare in 1991. Initially involved with Kazan State University's campus network support and UNIX system administration, he went through the path of becoming a networking consultant, taking part in many network deployment projects. Petr currently has over 12 years of experience working in the Cisco networking field, and is the only person in the world to have obtained four CCIEs in under two years, passing each on his first attempt. Petr is an exceptional case in that he has been working with all of the technologies covered in his four CCIE tracks (R&S, Security, SP, and Voice) on a daily basis for many years. When not actively teaching classes, developing self-paced products, studying for the CCDE Practical & the CCIE Storage Lab Exam, and completing his PhD in Applied Mathematics.

Find all posts by Petr Lapukhov, 4xCCIE/CCDE | Visit Website

You can leave a response, or trackback from your own site.

30 Responses to “Migrating to CCIE Security Lab Blueprint v3.0”

  1. Shawn Zandi says:

    NetFlow? on Version 8? I think its not supported on normal ASAs maybe 5580…

  2. Brian Spade says:

    Hi Petr,

    Thanks for the very informative post on CCIE Security 3.0. As someone interesting in studying for the CCIE Security in the near future, would it be possible to post a “Building your CCIE Security rack” similar to what IE has done for the R&S?


  3. GET VPN is available for configuration in 12.4T within dynamips. I am currently using GSN3 for config exercises until our equipment arrives.

  4. SickMonkey says:


    That doesn’t sound as bad as I thought.

    I do have a couple of questions:

    1. Will 3640′s run the correct code?
    2. Do you have an eta on the new WB and COD versions?


  5. Rizzo says:

    That’s Great News!

    Any idea about release of new WBs?? I have setup my home rack according to BluePrint V2 but preparing for V3. Is there any change in physical connections, Lab topology and initial config files? As you mentioned PIX and VPN3K will be removed. If yes when are you going to release information about it, so we can re-design our rack connections/topology.

    Thanks a lot

  6. Rizzo says:

    Oh! I would love to know about the availbilty of new CODs and Breakdown Labs too. I hope IE this time will increase the bar on their Security WBs, as in past some people wasn’t recommending it with full faith. But I bought WBs V2 ones and I would personally prefer to have some brief explanations instead of just final config of each lab in Vol1. Just thoughts!

  7. To Joshua Walton

    Thanks for confirming this, personally never had time to test it on Dynamips! :)

  8. To: Rizzo

    Removing the PIX and the VPN3k most likely will not result in cabling changes, we plan to leave the topology compatible with the previous releases. So simply unplug both devices from your switches and upgrade the hardware/software versions :)

    Also, we do plan on adding breakdowns to SC VOL1 labs, like we did with RS VOL1 products. There is no fixed timeline for the new workbooks, as all updates would be incremental and start this month.

  9. ouaja says:

    anyconnect stuff is not testable since you can not run it from TSE !

    Seure desktop and NAP are tedious and perhaps not feasaible with CLI so since asdm is not for the lab, most probably they are … skippable!


  10. Piotr Kaluzny says:


    What about NAC Framework?


  11. To: ouaja

    Well, i think you can overcome the SSL VPN and RDP issue by using something like VNC. Not sure if they have this option in the real lab.

    As for NAC Framework, it’s been listed in the blueprint for quite a while. However, due to its complexity and lots of bugs involved in implemantation, you could probably skip it and focus on other topics.

    We are going to have NAC and SSL VPN covered in our products still.

  12. Petr first of let me admit that i am a great admirer of your work truly inspirational.

    I have query regarding IPS. There are many who are using ips 4215 or 4210 I am not sure about 4210 bit 4215 does support 6.0 though 6.1 is not supported.

    The blueprint mention use of IDM for IPS I would not think that they will ask candidates to work with IME that is much more of a management tool.

    so say if we are supposed to be using IDM and not IME then things are not as dismal.

    Waiting for your views sir

  13. Ian says:

    Hi Petr,

    When you say there is no fixed timeline for the updates and that they will be incremental starting this month, do you anticipate all the materials being upgraded on or before the new lab blueprint takes effect?

    I’m in a position where I’m about to start my lab study but have already bought my workbooks/videos but I’m concerned that I won’t be able work through the lab coursework as fast as I want if I’m waiting on the updates being released.

    I plan on studying the areas that overlap first but when those are complete my worry is that the newer materials won’t be ready – do you expect that to be a problem?

    While I am posting.. thank-you very much for all your great blog posts – they are excellent, detailed and a great help.



  14. Karthik Krishnamurthy says:

    Hi Petr ,

    Thank you for this update . you left out one of the topics in the blueprint ..” Implement Control Plane and Management Plane Security” .. is this going to be covered in the new material as well.



  15. Allam says:

    Hi Petr,

    Will IE be upgrading IPS devices in racks to use 6.1?



  16. Allam Hassan says:

    Hi Petr,

    Will IE be upgrading IPS devices in racks to 6.1?



  17. Maher El Zein says:

    Hi Petr,

    Thank you very much for this great article. It’s more than helpful.


  18. To: chandan sharma

    I believe you are pretty safe by relying on IDM/CLI rather than IME. Personally I prefer using pure CLI :)

    Plus, the IPS 6.0 version covers virtually every relevant feature found in 6.1, so you can still use the older appliances and save money on buying the newer 4240.

  19. To: Karthik Krishnamurthy

    Ooops, looks like I forgot to mention the labs on the Control Plane policing features in IOS. As for the ASA platform, the control plane security will be covered under the “Threat Detection” labs.

  20. Steve says:

    The official lab 3.0 blueprint says that all routers will be running Adv Ent Services…
    is running the Adv Sec image ‘good enough’ for our labs? I would have to upgrade the ram/flash on my 2620xm’s to run adv ent services but not adv security images.

  21. Rizzo says:


    I must tell you if you are using 2600XM router in your setup then you can’t run SSL VPN on them. So you need at one ISR router in your rack or correct me.


  22. To: Rizzo,

    yes, we plan to add a couple of 1841 ISRs to the topology, possibly replacing R1 and R2.


  23. _Wikki_ says:

    Hi Petr,

    Can you please tell us about any update, how far IE has reached updating the CCIE Security workbooks and COD and is there a possibility of any expected release date in near future.


  24. Vinod says:

    Hi Petr,

    Please provide an expected dated when your new workbooks will be released!


  25. nick says:


    Can you set me straight. I’m building a small IE lab for home and a a little unsure if I should get 2621 routers or not? If the answer is yes, you can still use them in the new 3.0 blueprint, can you please tell me the exist ios file name that I should have? Thanks
    ( I plan to have a couple of 1841 too)

  26. Sri says:


    Is there any information on “Building your CCIE Security rack”.

    Am in the process of building one, am looking for some info like the one we have for R&S lab.


  27. Ajay says:

    Hi Petr,

    Thanks for listing down the changes in detail, its very helpfull.

    Are you going to provide the upgrade for the CODs as well and when?


    • Ajay,

      I can’t tell you the exact dates for the new CoD right way. Most likely, we will release incremental updates to the exisiting material when we’ll have enough VOL1 labs released. This should be around late April-Early May. Might be faster, but i’m trying to give the realistic timeline :)

  28. VPN-Dienst says:


    [...]Migrating to CCIE Security Lab Blueprint v3.0 | CCIE Blog[...]…


Leave a Reply


CCIE Bloggers